Let’s Get Serious About Passwords

16 Nov Let’s Get Serious About Passwords

Too many passwords = Recycling simple passwords = Danger

Technology has delivered many marvellous things, but it comes with the burden of managing numerous passwords. Think about how many systems you access with a password. The list continues to grow year after year as many of us are even more active with online shopping, online banking and so on.

The common solution for many is to simply re-use the same password everywhere. What most us don’t realise is that this means if one account is comprised, “they” (hackers) have access to everything. The other solution we find many people do is to write their passwords down or record it in a document or spreadsheet that is itself not password protected.

Complexity of passwords can also make it difficult to juggle numerous passwords, especially when you’re told to have passwords with upper, lower case, numeric and non-alphanumeric characters. Try remembering Alb@troSS47$# and come up with a unique password for every system you access. That’s a very difficult task.

Store it (Safely)

So, if you can’t recycle passwords and are expected to use long complex combinations of letters, numbers and characters, the first thing we need to address is the ability to easily, and safely, record your passwords. After all, it’s easy to remember one long password but if you want to have as many unique passwords as you can, remembering them all becomes a challenge.

If you can easily and safely record passwords, you will be less inclined to recycle them and be more willing to use outrageously long complex passwords. Just remember, writing them down is never the answer. So, what is?

The good news is that there are several password storage applications including Dashlane, Keeper, 1Password and, the one we recommend, LastPass. We will reference features of LastPass in this article, but you will find these password storage applications have similar functionality.

LastPass is software you can install on your PC which will run on most web browsers. The software will detect passwords you enter and give you the option to save them in a secure database attached to a LastPass account you create. The next time you log into the same system in the browser, LastPass will offer to enter it for you. You can also store general passwords and other sensitive data (such as credit card details) in your LastPass account “Vault”. At any time, you can easily access this information from the LastPass app on your PC or smart phone. We strongly recommend you use a strong (long and complex) password for your LastPass account as well as Multi-Factor Authentication (see below) because your LastPass account is definitely something you don’t want others to access.

We’ve addressed the ability to juggle a large volume of passwords with the ability to keep them long and complex which is great. But then you go ahead and give someone your password. We don’t mean a co-worker or friend who you intentionally give it to (not that it’s good practice to do either!) We mean a hacker who successfully got you to enter your password in the wrong place. All that hard work diligently storing your passwords in a safe place, gone out the window.

Giving your password to hackers

Sometimes you can unintentionally hand over your password to people who choose to do harm. Take Phishing sites for example (that’s Phishing not fishing). Phishing sites are websites that are designed to look genuine but are used to lure you into entering your account details. They often result in people clicking on a link in an email telling them they need to urgently log into various systems (bank account, office.com) and change their password. They direct you to what seems like a legitimate website, but what they are after is for you to unknowingly enter your details including your password. There you have it, they now have your password.

And, if that’s not all, if you have the same password across the many systems you access, hackers will have further access to numerous accounts that have that same password. This is when your life can turn up-side-down.

So apart from being extra cautious about clicking on links that ask you to access your bank or your travel itinerary for a flight you never booked, what can you do to prevent hackers from getting in? One of the most effective methods is Multi-Factor Authentication.

Email Accounts – Gateway to Many Systems and Potentially Your Worst Nightmare

Before we get onto Multi-Factor Authentication, I’d like to cover one last thing you need to be mindful of, and that is the power of your email account. Your email account is particularly important and requires specific attention, for three simple reasons:

1. Your email account can act as a gateway to numerous systems. When you click on “forgot password” what do most systems do? They email you a link to reset your password. Gaining access to your email account means hackers can access all the web sites you use your email address to gain access to.
2. The other problem is that if someone can access your email account, they can manipulate people you deal with to send payment to overseas accounts. They do so by monitoring your email traffic and get an understanding of what you do. Hackers love getting access to email accounts of people who instruct others to pay bills. For example, managers approving invoices for accounts payable to pay. They will find invoices you regularly approve from a vendor, generate a fake invoice containing their own bank details, then email it to accounts payable to pay. This is far more common than you might think and happens quite a lot.
3. If hackers have access to sensitive information in your email account that you don’t want to be made public, they can hold you to ransom. They will threaten to release information or give you the option to pay using something that is difficult to trace back to them such as Bitcoins.

Your email account can be a gateway to many systems and a lot of headache if compromised. It requires a unique (not recycled) and complex password for example: ILoveFishingInTheRockyMountains@1978.

However, given its sensitivity for the above reasons and many more, you also need an additional factor required to gain access to your email account. This introduces Multi-Factor Authentication.

Go the extra mile with Multi-Factor Authentication

Let’s get serious here. Hackers have become more sophisticated and more and more accounts are being compromised every day. Nobody is immune to this menace including those of you who are diligent about what you do and hold back clicking on that tempting link in an email. The reality is that it’s only a matter of time before you inadvertently do something that gives your password away.

For added protection, use Multi-Factor Authentication (MFA) to access systems that provide this feature. It adds a tremendous level of protection for you and gives peace of mind if you’re worried about the possibility of hackers getting to your accounts. Multi-Factor Authentication strengthens the login process by requiring a second piece of information in addition to your password. This is a temporary code which is accessed by another device such as a mobile phone. If someone is able to get a hold of your password, they would not be able to log into your system without the additional temporary code. We recommend this level of security for your email accounts as a minimum. We use MFA for every system we use that supports it. You may already be familiar with MFA, where some systems such as banking sites use Multi-Factor Authentication by sending you a code by text to your mobile phone.

If you are a business owner, you can roll out password apps to your staff ensuring the passwords they use for their work systems are stored securely (no post it notes on screens). This also helps you retain that information when they leave the organisation.

VIP Summary

1. Don’t recycle passwords. Use a unique password for all systems especially your email account.
2. Find a safe way to store passwords. Post-it notes and Excel spreadsheets should never be used.
3. Use long complex passwords.
4. For critical systems including your email account, use Multi-Factor Authentication.
5. Be careful what you click when you get an email, especially one that tells you to enter or change your password.

This article is by no means an extensive list of the steps needed to prevent data theft but covers some of the most common problems people get themselves into. Following these steps can go a long way of minimising the risk of malicious access to your personal and business systems.

They’re simple to do so get yourself sorted today.

Stay cyber safe.

Synergise IT are specialists in security and back up disaster recovery. Should you like to know more about how to protect your business and systems, the team at Synergise IT are only too happy to assist. For more information visit: https://synergiseit.com.au/products/security or click here to start a conversation.